[kernel-hardening] [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Emrah Demir < ed@abdsec.com >
To: linux-kernel@vger.kernel.org
Cc: keescook@chromium.org, dan.j.rosenberg@gmail.com,
	kernel-hardening@lists.openwall.com,
	torvalds@linux-foundation.org, davej@redhat.com,
	Emrah Demir <ed@abdsec.com>
Subject: [kernel-hardening] [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file
Date: Wed,  6 Apr 2016 16:03:02 +0300	[thread overview]
Message-ID: <1459947782-5071-1-git-send-email-ed@abdsec.com> (raw)

From: Emrah Demir <ed@abdsec.com>

Even though KASLR is aiming to mitigate remote attacks, with a simple LFI vulnerability through a web application, local leaks become as important as remote ones.
On the KASLR enabled systems in order to achieve expected protection, some files are needed to edited/modified to prevent leaks.

/proc/iomem file leaks offset of text section. By adding 0x80000000, Attackers can get _text base address. KASLR will be bypassed.

$ cat /proc/iomem | grep 'Kernel code'
38600000-38b7fe92 : Kernel code
$ python -c 'print hex(0x38600000 + 0x80000000)'
0xb8600000
# cat /proc/kallsyms | grep 'T _text'
ffffffffb8600000 T _text

By this patch after insertion resources, start and end address are zeroed. /proc/iomem and /proc/ioports sources, which use request_resource and insert_resource now shown as 0 value.

Signed-off-by: Emrah Demir <ed@abdsec.com>
---
 kernel/resource.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kernel/resource.c b/kernel/resource.c
index 2e78ead..5b9937e 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -321,6 +321,8 @@ int request_resource(struct resource *root, struct resource *new)
 	struct resource *conflict;
 
 	conflict = request_resource_conflict(root, new);
+	new->start = 0;
+	new->end = 0;
 	return conflict ? -EBUSY : 0;
 }
 
@@ -864,6 +866,8 @@ int insert_resource(struct resource *parent, struct resource *new)
 	struct resource *conflict;
 
 	conflict = insert_resource_conflict(parent, new);
+	new->start = 0;
+	new->end = 0;
 	return conflict ? -EBUSY : 0;
 }
 EXPORT_SYMBOL_GPL(insert_resource);
-- 
2.8.0.rc3

WARNING: multiple messages have this Message-ID (diff)

From: Emrah Demir <ed@abdsec.com>
To: linux-kernel@vger.kernel.org
Cc: keescook@chromium.org, dan.j.rosenberg@gmail.com,
	kernel-hardening@lists.openwall.com,
	torvalds@linux-foundation.org, davej@redhat.com,
	Emrah Demir <ed@abdsec.com>
Subject: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file
Date: Wed,  6 Apr 2016 16:03:02 +0300	[thread overview]
Message-ID: <1459947782-5071-1-git-send-email-ed@abdsec.com> (raw)

From: Emrah Demir <ed@abdsec.com>

Even though KASLR is aiming to mitigate remote attacks, with a simple LFI vulnerability through a web application, local leaks become as important as remote ones.
On the KASLR enabled systems in order to achieve expected protection, some files are needed to edited/modified to prevent leaks.

/proc/iomem file leaks offset of text section. By adding 0x80000000, Attackers can get _text base address. KASLR will be bypassed.

$ cat /proc/iomem | grep 'Kernel code'
38600000-38b7fe92 : Kernel code
$ python -c 'print hex(0x38600000 + 0x80000000)'
0xb8600000
# cat /proc/kallsyms | grep 'T _text'
ffffffffb8600000 T _text

By this patch after insertion resources, start and end address are zeroed. /proc/iomem and /proc/ioports sources, which use request_resource and insert_resource now shown as 0 value.

Signed-off-by: Emrah Demir <ed@abdsec.com>
---
 kernel/resource.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kernel/resource.c b/kernel/resource.c
index 2e78ead..5b9937e 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -321,6 +321,8 @@ int request_resource(struct resource *root, struct resource *new)
 	struct resource *conflict;
 
 	conflict = request_resource_conflict(root, new);
+	new->start = 0;
+	new->end = 0;
 	return conflict ? -EBUSY : 0;
 }
 
@@ -864,6 +866,8 @@ int insert_resource(struct resource *parent, struct resource *new)
 	struct resource *conflict;
 
 	conflict = insert_resource_conflict(parent, new);
+	new->start = 0;
+	new->end = 0;
 	return conflict ? -EBUSY : 0;
 }
 EXPORT_SYMBOL_GPL(insert_resource);
-- 
2.8.0.rc3

next             reply	other threads:[~2016-04-06 13:03 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-04-06 13:03 Emrah Demir [this message]
2016-04-06 13:03 ` [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file Emrah Demir
2016-04-06 15:20 ` [kernel-hardening] " Linus Torvalds
2016-04-06 15:20   ` Linus Torvalds
2016-04-06 17:54   ` [kernel-hardening] " Linus Torvalds
2016-04-06 17:54     ` Linus Torvalds
2016-04-06 18:05     ` [kernel-hardening] " ed
2016-04-06 18:05       ` ed
2016-04-06 18:21       ` [kernel-hardening] " Kees Cook
2016-04-06 18:21         ` Kees Cook
2016-04-06 18:31       ` [kernel-hardening] " Linus Torvalds
2016-04-06 18:31         ` Linus Torvalds
2016-04-06 18:37         ` [kernel-hardening] " Kees Cook
2016-04-06 18:37           ` Kees Cook
2016-04-06 18:43           ` [kernel-hardening] " Linus Torvalds
2016-04-06 18:43             ` Linus Torvalds
2016-04-06 18:53             ` [kernel-hardening] " Yves-Alexis Perez
2016-04-06 19:02               ` Linus Torvalds
2016-04-06 19:11                 ` Yves-Alexis Perez
2016-04-06 19:19                   ` Borislav Petkov
2016-04-06 20:49                 ` Ingo Molnar
2016-04-06 19:23             ` Bjørn Mork
2016-04-06 19:23               ` Bjørn Mork
2016-04-06 18:52       ` [kernel-hardening] " Christian Kujau
2016-04-06 18:52         ` Christian Kujau
2016-04-06 18:53         ` [kernel-hardening] " Kees Cook
2016-04-06 18:53           ` Kees Cook
2016-04-06 21:19     ` [kernel-hardening] " Linus Torvalds
2016-04-06 21:19       ` Linus Torvalds
2016-04-06 21:27       ` [kernel-hardening] " Kees Cook
2016-04-06 21:27         ` Kees Cook
2016-04-06 21:32         ` [kernel-hardening] " Linus Torvalds
2016-04-06 21:32           ` Linus Torvalds
2016-04-14  4:27       ` [kernel-hardening] " Kees Cook
2016-04-14  4:27         ` Kees Cook
2016-04-14  7:39         ` [kernel-hardening] " Emrah Demir
2016-04-14  7:39           ` Emrah Demir
2016-04-06 18:03 ` [kernel-hardening] " Kees Cook
2016-04-06 18:03   ` Kees Cook

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:2e78ead dfblob:5b9937e dfblob:2e78ead dfblob:5b9937e )
 OR (
bs:"[PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1459947782-5071-1-git-send-email-ed@abdsec.com \
    --to=ed@abdsec.com \
    --cc=dan.j.rosenberg@gmail.com \
    --cc=davej@redhat.com \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.